Share via

Forcing Internet Explorer To Forget To Not Remember

All joking aside, last fall, I wrote about the variety of reasons why Internet Explorer might not offer to remember your password on a web form. As I mentioned then, you will not be re-prompted to save your password if you’ve previously declined to store the password for this username on this page by clicking “No” in the prompt:

Clicking No will prevent IE from storing this username/password combination

Internally, this “No” is stored as an entry (“Do not remember any passwords for Username=Eric for url =whatever”) in the Password List. Note: Data is stored as a list because you may have more than one username/password pair for a given page.

Unfortunately, there’s no easy way to reverse your decision if you later change your mind and do want to store the password[1]. Within IE itself, the only way to reset any “Do Not Remember” decision is to wipe all of your previously-stored passwords, for all sites (using the Delete Browsing History feature).

An explanation is in order.

When storing your passwords in the registry, IE doesn’t store the URLs in plaintext. Instead, it creates a registry entry[0] named by the string-serialized SHA-1 hash of the current URL (lowercased, removing query-string and fragment). The entry’s value is the password list, encrypted by the user account's master key[3]. Therefore, the raw URL isn’t stored in the registry, and isn’t really even recoverable[2], due to the nature of hashing. That’s why Delete Browsing History’s option “Preserve Favorites website data” cannot selectively wipe only non-Favorites’ passwords.

The one-way nature of hashing also means that even advanced users cannot easily find the right registry entry to manually delete in order to re-trigger the Remember Password? prompt. To mitigate this difficulty, I’ve put together a trivial utility that allows you to clear the password list for a specified URL. You can try it out by storing some passwords (or refusing to) using the Password AutoComplete test page, and then running this utility.

The IE Remember Password tool allows you to clear the entire password list for a specific URL.

It’s important to understand that this tool doesn’t attempt to edit the individual username/password combinations within the password list if you have more than one for a given page. As I mentioned, the Delete Browsing History feature wipes ALL passwords entries for ALL sites. This tool, in contrast, wipes all password entries for the specified URL only.

Update: Internet Explorer 10 on Windows 8 changes things a bit. On Windows 8 with IE10, IE no longer stores encrypted passwords in the registry; they're stored in the Credential Manager, which you can find by typing Manage Web Credentials in the Start Screen's search box; it'll be in the Settings section. However, this display does not show any of the "No password saved and do not ask" entries, and because those are no longer stored in the old registry key, this utility will not work on Windows 8.

 

-Eric

[0] Under HKCU\Software\Microsoft\Internet Explorer\IntelliForms\Storage2\
[1] In contrast, forcing IE to "forget" a single username/password is simple: Just use the down arrow key and delete key to remove the username from the dropdown list in the username form field.
[2] modulo dictionary attacks.
[3] The DPAPI function CryptProtectData is called to encrypt the salted blob. That API uses the 168bit 3DES algorithm on Windows Vista and earlier; on Win7 and later, it may use 256bit AES.

Comments

  • Anonymous
    April 09, 2010
    Many sites will inadvertently use a number of different document locations to present login credentials to users. An example is trademe.co.nz, on their homepage they have a Login link which is scripted with http://www.trademe.co.nz/Members/Login.aspx in the href value but displays a AJAX popup div on the containing page. So the location url that is stored with site credentials in IE's Password store is different depending upon which page on the site that they click the Login link. Third party Form Fillers or other browsers which use the form action uri as the key and not the window.location uri can handle this and will present autocomplete information regardless of the hosting page's location uri. Now I know there are security reasons for this behavior in IE and accept that it is the safer form autocomplete model. The problem is to educate developers to use design patterns that are safe and accomodate IE's more secure achitecture. A common problem I am seeing is that sites will deploy the Facebook api and also offer a Facebook login prompt on their sites. Here is a Answers thread about the issue. http://social.answers.microsoft.com/Forums/en/InternetExplorer/thread/a003fe96-8f64-4d4f-a1cd-a0d6291529b1 Regards.

  • Anonymous
    April 12, 2010
    Your IERememberPassword utility is a welcomed tool and will very helpful to IE8 users. Thanks, Eric!

  • Anonymous
    April 20, 2010
    Eric, I see in one of my customer's machine that the hashed values were stored in a location called "storage1" in the registry. How does IE determine where to store the values? Will this tool work even if the location is "storage1"?

  • Anonymous
    April 20, 2010
    The comment has been removed

  • Anonymous
    April 20, 2010
    Thanks for the clarification Eric. One more question -  Will IE remember passwords even if the form has more than 2 elements in it? Say, for example, it has username/some id/password and a captcha text. Will it store the username/password pair in the registry?

  • Anonymous
    April 21, 2010
    Did a repro at my machine for the above problem. Just posting here as information for other users: IE will not prompt to remember passwords if the form has more than 2 fields. One more entry to your 'variety of reasons'?

  • Anonymous
    April 21, 2010
    @Sriranga: It's already there: Case #4, which used to break Facebook.com before they fixed it.

  • Anonymous
    January 10, 2012
    Your utility is very slick, it did just what I wanted it to.

  • Anonymous
    January 12, 2012
    The comment has been removed

  • Anonymous
    February 11, 2012
    This is awsome - a tool that should be part of IE Simple and works great. thank you for sharing it!

  • Anonymous
    March 23, 2012
    Thank you so much for your blog! It's so helpful!

  • Anonymous
    April 14, 2012
    Can you then think of any other reason besides making a "do not remember this page's passwords" entry in the passwords list? Ever since trying to update the previously stored passord for this particular page, it will now no longer offer the option of saving its password/login info. (This is after clearing all passwords in history and closing and reopening IE, rebooting PC, etc, etc.) I have one persistant page that simply will not be remembered again and your tool indicates that nothing is saved for it in the list. I am seeing everything return to work correctly on other URLs.

  • Anonymous
    April 17, 2012
    @WhtRULknAt: Is the URL in question public? If not, can you email me a SAZ File (using Fiddler) so I can look at the page?  thanks!

  • Anonymous
    April 23, 2012
    I am running IE9 on a Windows 7 machine.  It  is having the same problem as everyone else.  I downloaded and ran your utility.  It found the password in the target URL and erased it, but the web site is still not prompting to remember the password.  When I run your utility now, it says there is no password saved.  Do you have any idea how I can get IE9 to prompt to save the password?  

  • Anonymous
    April 23, 2012
    @JMM: Without a URL, I can't help you.

  • Anonymous
    May 15, 2012
    Eric, I am having the same issue - I wiped the password data associated with this URL:  secure.ecollege.com/.../index.learn But now it does not prompt me to remember the login id and password fields.  How can I now reset the "remember" feature?

  • Anonymous
    June 25, 2012
    suh-WEET!  Thanks, it worked wonderfully!

  • Anonymous
    June 26, 2012
    The comment has been removed

  • Anonymous
    August 21, 2012
    Is there really no way to get to the "No password saved and do not ask" entries in IE 10 on Win 8? Thanks.

  • Anonymous
    August 21, 2012
    @Matt: There's no UI I've found for this. There's likely a way to get this data by calling a Credential Vault API, but I'm not an expert on that topic.

  • Anonymous
    August 25, 2012
    The comment has been removed

  • Anonymous
    August 29, 2012
    I used your utility to fix error #6 with IE9 using VISTA Home Basic and it found no entered password on my ATT/Yahoo opening page.  I still have to "sign-in" on the generic Yahoo/ATT entry page to access my Yahoo/ATT home page.  I'm unclear as to what I should do next.  Do I really need to delete all passwords stored on my PC? Thanks!

  • Anonymous
    August 29, 2012
    @ken: If the utility didn't fix this for you, you're not encountering problem #6 from my other post, and deleting your passwords is unlikely to help you.

  • Anonymous
    September 05, 2012
    Hey Eric,  Doing some testing and ran into a snag similar to some of the other comments. Using the test site www.debugtheweb.com/.../passwordautocomplete.asp I put in a username and password, submitted and told it to save the password. Next, used the tool and cleared the entry.   Now when I go to the site and enter a username/password then submit, the prompt to save the password appears on the screen for just a second (not long enough for me to go from submitt to yes). Any ideas? Win 7 Machine with IE 9. Thanks

  • Anonymous
    September 06, 2012
    @John: Typically, the "password save prompt appears but then quickly disappears" means that the login in question redirected from one domain to another. Does the prompt in question stay around if you start with this page: www.fiddler2.com/.../passwordautocomplete.asp

  • Anonymous
    September 20, 2012
    The comment has been removed

  • Anonymous
    October 12, 2012
    Thanks. Worked perfectly. I had accidently hit "do not remember" on my most commonly changed and used site. You've made life easy again.

  • Anonymous
    October 16, 2012
    Worked great. Extremely useful little utility. Thanks!

  • Anonymous
    October 23, 2012
    theirs one more thing that can cause the auto complete to not work and that's a third party program that turns it off.  i just wish i could figure which one it was lol  

  • Anonymous
    December 23, 2012
    hi help please my ie 10 in windows 8 doesn't ask me to save passwords although autocomplete password is properly configured.. how can i make ie 10 to remember password when i go to a password form

  • Anonymous
    December 27, 2012
    hi EricLaw Internet Explorer 10 Autocomplete would not prompt to save passwords fror some websites...Why? for yahoo mail it prompts to save the password when using IE 10 in windows 8 professional.. But for certain websites like gmail it wont prompt to save passwords.. How can i fix this issue .. Any help please... Thanx and regards Aravinda

  • Anonymous
    January 18, 2013
    This happened me on Win7/IE9, and the utility didn't fix it for me, buuuut...I typed in a username and password I knew to be incorrect, and it asked me to save that, I left the notification bar there, (not clicking yes or no), and the website redirected me again to the login page with a "bad password" message ( as expected), I entered the correct login details, pressed login, THEN clicked "yes" on the notification bar, and next time i went to the page the password was saved. This wont work if the URL it redirects you to is different than the original login page, but in my instance is was the same, it might help some people. EricLaw: I can't think of any reason that would help, but thanks for sharing it.

  • Anonymous
    January 30, 2013
    Thanks, your IERememberPassword utility worked great for me!

  • Anonymous
    April 21, 2013
    I tried this on ie 9 windows 7. I have deleted all browsing history and tried loggin in to hotmail.com IE will still not ask me to save passwords. I have set my autocomplete settings in IE to enable autocomplete for forms and checked also for usernames and passwords. I have enabled inline autocomplete too in the advanced ie settings tab page. Stuff like this breed frustration with Microsoft products.

  • Anonymous
    July 10, 2013
    Seems to work well on IE9.  Thanks very much! Great utility!

  • Anonymous
    August 28, 2013
    The comment has been removed

  • Anonymous
    October 01, 2013
    This URL: www.videoblocks.com/login won't prompt me to remember passwords even after running your cute tool. Could you advise on how to get that back? [EricLaw] This page didn't prompt you to store your password to begin with, because the password field has an autocomplete=off attribute. Fortunately, you'll find that IE11 puts you in control and offers to remember this site's password anyway.

  • Anonymous
    December 04, 2013
    The comment has been removed

  • Anonymous
    March 17, 2014
    The comment has been removed

  • Anonymous
    June 02, 2014
    im interested in seeing what form autocomplete data (rather than passwords) is stored on my machine, is it possible to extend your utility to decrypt and list those entries (not passwords)? thanks! p.s. i believe in Win 8 or might be more to do with IE version, the registry location of interest has changed to HKEY_CURRENT_USERSoftwareMicrosoftInternet ExplorerIntelliFormsFormData

  • Anonymous
    November 09, 2014
    The comment has been removed

  • Anonymous
    January 28, 2015
    The comment has been removed